Last week, Google detailed a list of five iOS vulnerabilities discovered by its security team. Google’s post described the attack as “potentially hitting thousands of people,” triggering something of a panic among iOS users. To assuage concerns, Apple has released an official statement clarifying a number of things.
Addressing Google’s post directly, Apple clarifies that the attack was very narrowly focused and not designed to be “en masse.” The exploit targeted a very specific population in China. The websites hosting the exploits only kicked into action after the visiting user met a number of conditions. What caused concern among users was Google’s claim that the attacks had been going on for two years, whereas Apple states that its analysis has shown that the attacks were operational only for a brief period of time, up to 2 months. Lastly, Google revealed the chain of exploits 6 months after Apple had already patched them via a software update.
Apple’s statement seems to imply that Google’s disclosure of the exploits was worded so as to cause concern among the iOS user community. The statement reads: “Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised.” Interestingly, Google’s post does not disclose that the exploits were targeted at the Uighur community, an omission which is likely to have led to the mass panic.
While Apple’s statement seems to downplay the impact of the vulnerabilities in iOS, it does not address the fact that there were 5 exploits that could be used to monitor the real-time activities of users. Although the highlighted issue targeted a small community within China, it could just as well have been used anywhere else in the world to spy on any number of people. Apple has claimed that it takes user privacy very seriously, but the presence of such exploits on iOS does leave room for many questions around the degree of Apple’s commitment to user privacy.